Ubuntu
linux package

Ubuntu 5.4.0-117.132-generic 5.4.189 has BUG: kernel NULL pointer dereference, address: 0000000000000034

Bug #1978719 reported by wyatt earp on 2022-06-14

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	linux (Ubuntu)	Fix Released	Undecided	Unassigned
	Focal	Fix Released	Medium	wyatt earp

Bug Description

The 5.4.0 series of the Ubuntu kernel has missed a patch which resolves a null dereference:

[104602.951260] BUG: kernel NULL pointer dereference, address: 0000000000000034
[104602.951263] #PF: supervisor write access in kernel mode
[104602.951264] #PF: error_code(0x0002) - not-present page
[104602.951266] PGD 0 P4D 0
[104602.951269] Oops: 0002 [#1] SMP PTI
[104602.951272] CPU: 6 PID: 176572 Comm: ThreadPoolForeg Kdump: loaded Tainted: P OE 5.4.0-117-generic #132-Ubuntu
[104602.951273] Hardware name: System manufacturer System Product Name/P8P67 LE, BIOS 3801 09/12/2013
[104602.951278] RIP: 0010:unlink_anon_vmas+0x3e/0x1b0
[104602.951280] Code: 54 53 48 83 ec 08 48 8b 47 78 48 89 7d d0 48 8b 30 49 39 c5 0f 84 5e 01 00 00 4c 8d 78 f0 4c 8d 66 f0 31 db eb 21 49 8b 46 38 <83> 68 34 01 49 8b 44 24 10 49 8d 54 24 10 4d 89 e7 48 83 e8 10 49
[104602.951281] RSP: 0018:ffffc00908703bd8 EFLAGS: 00010246
[104602.951283] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
[104602.951284] RDX: 0000000000000000 RSI: ffff99e8e5815c48 RDI: 0000000000000000
[104602.951286] RBP: ffffc00908703c08 R08: 0000000000000001 R09: ffffffffae665f00
[104602.951287] R10: ffff99eb808bd6c0 R11: 0000000000000001 R12: ffff99eb0fda27b8
[104602.951288] R13: ffff99eb0fda27c8 R14: ffff99e8e5815c08 R15: ffff99e7ee7af6c0
[104602.951290] FS: 0000000000000000(0000) GS:ffff99eb8eb80000(0000) knlGS:0000000000000000
[104602.951291] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[104602.951293] CR2: 0000000000000034 CR3: 000000037ae0a005 CR4: 00000000000606e0
[104602.951294] Call Trace:
[104602.951299] free_pgtables+0x93/0xf0
[104602.951301] exit_mmap+0xc7/0x1b0
[104602.951304] mmput+0x5d/0x130
[104602.951306] do_exit+0x31a/0xaf0
[104602.951309] do_group_exit+0x47/0xb0
[104602.951312] get_signal+0x169/0x890
[104602.951315] do_signal+0x34/0x6c0
[104602.951318] ? _copy_from_user+0x3e/0x60
[104602.951321] ? __x64_sys_futex+0x13f/0x170
[104602.951324] exit_to_usermode_loop+0xbf/0x160
[104602.951327] do_syscall_64+0x163/0x190
[104602.951330] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[104602.951332] RIP: 0033:0x7f58d1db27d1
[104602.951335] Code: Bad RIP value.
[104602.951336] RSP: 002b:00007f58c6987370 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
[104602.951338] RAX: fffffffffffffdfc RBX: 00007f58c69875e8 RCX: 00007f58d1db27d1
[104602.951339] RDX: 0000000000000000 RSI: 0000000000000089 RDI: 00007f58c6987600
[104602.951340] RBP: 00007f58c69875d8 R08: 0000000000000000 R09: 00000000ffffffff
[104602.951341] R10: 00007f58c6987460 R11: 0000000000000246 R12: 00007f58c69875fc
[104602.951343] R13: 00007f58c69875b0 R14: 00007f58c6987600 R15: 00007f58c69873c0

The patch was posted back in 2021 the linux kernel mailing lists: https://lore.kernel.org/linux-mm/20210224200449.hkU5GTEiH%<email address hidden>/

The defect is:
Date: Wed, 24 Feb 2021 12:04:49 -0800 [thread overview]
Message-ID: <20210224200449.hkU5GTEiH%<email address hidden>> (raw)
In-Reply-To: <email address hidden>

From: Li Xinhai <email address hidden>
Subject: mm: rmap: explicitly reset vma->anon_vma in unlink_anon_vmas()

In case the vma will continue to be used after unlink its relevant
anon_vma, we need to reset the vma->anon_vma pointer to NULL. So, later
when fault happen within this vma again, a new anon_vma will be prepared.

By this way, the vma will only be checked for reverse mapping of pages
which been fault in after the unlink_anon_vmas call.

Currently, the mremap with MREMAP_DONTUNMAP scenario will continue use the
vma after moved its page table entries to a new vma. For other scenarios,
the vma itself will be freed after call unlink_anon_vmas.

Link: https://<email address hidden>
Signed-off-by: Li Xinhai <email address hidden>
Cc: Andrea Arcangeli <email address hidden>
Cc: Brian Geffon <email address hidden>
Cc: Kirill A. Shutemov <email address hidden>
Cc: Lokesh Gidra <email address hidden>
Cc: Minchan Kim <email address hidden>
Cc: Vlastimil Babka <email address hidden>
Signed-off-by: Andrew Morton <email address hidden>
---

mm/rmap.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)

--- a/mm/rmap.c~mm-rmap-explicitly-reset-vma-anon_vma-in-unlink_anon_vmas
+++ a/mm/rmap.c
@@ -413,8 +413,15 @@ void unlink_anon_vmas(struct vm_area_str
   list_del(&avc->same_vma);
   anon_vma_chain_free(avc);
  }
- if (vma->anon_vma)
+ if (vma->anon_vma) {
   vma->anon_vma->degree--;
+
+ /*
+ * vma would still be needed after unlink, and anon_vma will be prepared
+ * when handle fault.
+ */
+ vma->anon_vma = NULL;
+ }
  unlock_anon_vma_root(root);

The Linux 5.4 package that Ubuntu is currently running on the latest kernel has the following code:
if (vma->anon_vma)
vma->anon_vma->degree--;
unlock_anon_vma_root(root);

This is the 3rd time I've encountered the crash.

root@lazarus:/var/crash/202206141315# lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 20.04.4 LTS
Release: 20.04
Codename: focal

Tags:

CVE References

2022-1789

Revision history for this message

Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote on 2022-06-14: Missing required logs.

This bug is missing log files that will aid in diagnosing the problem. While running an Ubuntu kernel (not a mainline or third-party kernel) please enter the following command in a terminal window:

apport-collect 1978719

and then change the status of the bug to 'Confirmed'.

If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

Changed in linux (Ubuntu):
status:	New → Incomplete

Revision history for this message

Tim Gardner (timg-tpi) wrote on 2022-06-14:

Patch submitted for review: https://lists.ubuntu.com/archives/kernel-team/2022-June/130974.html

Changed in linux (Ubuntu Focal):
importance:	Undecided → Medium
status:	New → In Progress
Changed in linux (Ubuntu):
status:	Incomplete → Fix Released
Changed in linux (Ubuntu Focal):
assignee:	nobody → wyatt earp (wyatt-hackerforhire)

Revision history for this message

wyatt earp (wyatt-hackerforhire) wrote on 2022-06-14:

Thank you for the prompt response!

Stefan Bader (smb) on 2022-06-21

Changed in linux (Ubuntu Focal):
status:	In Progress → Fix Committed

Revision history for this message

Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote on 2022-06-29:

This bug is awaiting verification that the linux/5.4.0-122.138 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-focal' to 'verification-done-focal'. If the problem still exists, change the tag 'verification-needed-focal' to 'verification-failed-focal'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags:

added: verification-needed-focal

Revision history for this message

Tim Gardner (timg-tpi) wrote on 2022-07-07:

@Wyatt - please confirm that this kernel fixes the problem.

Revision history for this message

Launchpad Janitor (janitor) wrote on 2022-07-11:

Download full text (14.2 KiB)

This bug was fixed in the package linux - 5.4.0-122.138

---------------
linux (5.4.0-122.138) focal; urgency=medium

* focal/linux: 5.4.0-122.138 -proposed tracker (LP: #1979489)

  * Remove SAUCE patches from test_vxlan_under_vrf.sh in net of
    ubuntu_kernel_selftests (LP: #1975691)
    - Revert "UBUNTU: SAUCE: selftests: net: Don't fail test_vxlan_under_vrf on
      xfail"
    - Revert "UBUNTU: SAUCE: selftests: net: Make test for VXLAN underlay in non-
      default VRF an expected failure"

  * Enable Asus USB-BT500 Bluetooth dongle(0b05:190e) (LP: #1976613)
    - Bluetooth: btusb: Add flag to define wideband speech capability
    - Bluetooth: btrtl: Add support for RTL8761B
    - Bluetooth: btusb: Add 0x0b05:0x190e Realtek 8761BU (ASUS BT500) device.

  * [UBUNTU 20.04] rcu stalls with many storage key guests (LP: #1975582)
    - s390/gmap: voluntarily schedule during key setting
    - s390/mm: use non-quiescing sske for KVM switch to keyed guest

  * Ubuntu 5.4.0-117.132-generic 5.4.189 has BUG: kernel NULL pointer
    dereference, address: 0000000000000034 (LP: #1978719)
    - mm: rmap: explicitly reset vma->anon_vma in unlink_anon_vmas()

This bug was fixed in the package linux - 5.4.0-122.138

---------------
linux (5.4.0-122.138) focal; urgency=medium

* focal/linux: 5.4.0-122.138 -proposed tracker (LP: #1979489)

* [UBUNTU 20.04] rcu stalls with many storage key guests (LP: #1975582)
    - s390/gmap: voluntarily schedule during key setting
    - s390/mm: use non-quiescing sske for KVM switch to keyed guest

* Ubuntu 5.4.0-117.132-generic 5.4.189 has BUG: kernel NULL pointer
    dereference, address: 0000000000000034 (LP: #1978719)
    - mm: rmap: explicitly reset vma->anon_vma in unlink_anon_vmas()

* Focal update: upstream stable patchset v5.4.192 (LP: #1979014)
    - floppy: disable FDRAWCMD by default
    - [Config] updateconfigs for BLK_DEV_FD_RAWCMD
    - hamradio: defer 6pack kfree after unregister_netdev
    - hamradio: remove needs_free_netdev to avoid UAF
    - lightnvm: disable the subsystem
    - [Config] updateconfigs for NVM, NVM_PBLK
    - usb: mtu3: fix USB 3.0 dual-role-switch from device to host
    - USB: quirks: add a Realtek card reader
    - USB: quirks: add STRING quirk for VCOM device
    - USB: serial: whiteheat: fix heap overflow in WHITEHEAT_GET_DTR_RTS
    - USB: serial: cp210x: add PIDs for Kamstrup USB Meter Reader
    - USB: serial: option: add support for Cinterion MV32-WA/MV32-WB
    - USB: serial: option: add Telit 0x1057, 0x1058, 0x1075 compositions
    - xhci: stop polling roothubs after shutdown
    - xhci: increase usb U3 -> U0 link resume timeout from 100ms to 500ms
    - iio: dac: ad5592r: Fix the missing return value.
    - iio: dac: ad5446: Fix read_raw not returning set value
    - iio: magnetometer: ak8975: Fix the error handling in ak8975_power_on()
    - usb: misc: fix improper handling of refcount in uss720_probe()
    - usb: typec: ucsi: Fix role swapping
    - usb: gadget: uvc: Fix crash when encoding data for usb request
    - usb: gadget: configfs: clear deactivation flag in
      configfs_composite_unbind()
    - usb: dwc3: core: Fix tx/rx threshold settings
    - usb: dwc3: gadget: Return proper request status
    - serial: imx: fix overrun interrupts in DMA mode
    - serial: 8250: Also set sticky MCR bits in console restoration
    - serial: 8250: Correct the clock for EndRun PTP/1588 PCIe device
    - arch_topology: Do not set llc_sibling if llc_id is invalid
    - hex2bin: make the function hex_to_bin constant-time
    - hex2bin: fix access beyond string end
    - video: fbdev: udlfb: properly check endpoint type
    - arm64: dts: meson: remove CPU opps below 1GHz for G12B boards
    - arm64: dts: meson: remove CPU opps below 1GHz for SM1 boards
    - mtd: rawnand: fix ecc parameters for mt7622
    - USB: Fix xhci event ring dequeue pointer ERDP update issue
    - ARM: dts: imx6qdl-apalis: Fix sgtl5000 detection issue
    - phy: samsung: Fix missing of_node_put() in exynos_sata_phy_probe
    - phy: samsung: exynos5250-sata: fix missing device put in probe error paths
    - ARM: OMAP2+: Fix refcount leak in omap_gic_of_init
    - phy: ti: omap-usb2: Fix error handling in omap_usb2_enable_clocks
    - ARM: dts: at91: Map MCLK for wm8731 on at91sam9g20ek
    - phy: mapphone-mdm6600: Fix PM error handling in phy_mdm6600_probe
    - phy: ti: Add missing pm_runtime_disable() in serdes_am654_probe
    - ARM: dts: Fix mmc order for omap3-gta04
    - ARM: dts: am3517-evm: Fix misc pinmuxing
    - ARM: dts: logicpd-som-lv: Fix wrong pinmuxing on OMAP35
    - ipvs: correctly print the memory size of ip_vs_conn_tab
    - mtd: rawnand: Fix return value check of wait_for_completion_timeout
    - bpf, lwt: Fix crash when using bpf_skb_set_tunnel_key() from bpf_xmit lwt
      hook
    - tcp: md5: incorrect tcp_header_len for incoming connections
    - tcp: ensure to use the most recently sent skb when filling the rate sample
    - sctp: check asoc strreset_chunk in sctp_generate_reconf_event
    - ARM: dts: imx6ull-colibri: fix vqmmc regulator
    - arm64: dts: imx8mn-ddr4-evk: Describe the 32.768 kHz PMIC clock
    - pinctrl: pistachio: fix use of irq_of_parse_and_map()
    - cpufreq: fix memory leak in sun50i_cpufreq_nvmem_probe
    - net: hns3: add validity check for message data length
    - net/smc: sync err code when tcp connection was refused
    - ip_gre: Make o_seqno start from 0 in native mode
    - tcp: fix potential xmit stalls caused by TCP_NOTSENT_LOWAT
    - bus: sunxi-rsb: Fix the return value of sunxi_rsb_device_create()
    - clk: sunxi: sun9i-mmc: check return value after calling
      platform_get_resource()
    - net: bcmgenet: hide status block before TX timestamping
    - net: dsa: lantiq_gswip: Don't set GSWIP_MII_CFG_RMII_CLK
    - drm/amd/display: Fix memory leak in dcn21_clock_source_create
    - tls: Skip tls_append_frag on zero copy size
    - bnx2x: fix napi API usage sequence
    - ixgbe: ensure IPsec VF<->PF compatibility
    - tcp: fix F-RTO may not work correctly when receiving DSACK
    - ASoC: wm8731: Disable the regulator when probing fails
    - ip6_gre: Avoid updating tunnel->tun_hlen in __gre6_xmit()
    - x86: __memcpy_flushcache: fix wrong alignment if size > 2^32
    - cifs: destage any unwritten data to the server before calling
      copychunk_write
    - drivers: net: hippi: Fix deadlock in rr_close()
    - net: ethernet: stmmac: fix write to sgmii_adapter_base
    - x86/cpu: Load microcode during restore_processor_state()
    - tty: n_gsm: fix wrong signal octet encoding in convergence layer type 2
    - tty: n_gsm: fix malformed counter for out of frame data
    - netfilter: nft_socket: only do sk lookups when indev is available
    - tty: n_gsm: fix insufficient txframe size
    - tty: n_gsm: fix missing explicit ldisc flush
    - tty: n_gsm: fix wrong command retry handling
    - tty: n_gsm: fix wrong command frame length field encoding
    - tty: n_gsm: fix incorrect UA handling
    - hugetlbfs: get unmapped area below TASK_UNMAPPED_BASE for hugetlbfs
    - mm, hugetlb: allow for "high" userspace addresses
    - Linux 5.4.192

* CVE-2022-1789
    - KVM: x86/mmu: fix NULL pointer dereference on guest INVPCID

* Focal update: v5.4.191 upstream stable release (LP: #1976116)
    - etherdevice: Adjust ether_addr* prototypes to silence -Wstringop-overead
    - mm: page_alloc: fix building error on -Werror=array-compare
    - tracing: Dump stacktrace trigger to the corresponding instance
    - gfs2: assign rgrp glock before compute_bitstructs
    - tcp: fix race condition when creating child sockets from syncookies
    - tcp: Fix potential use-after-free due to double kfree()
    - ALSA: usb-audio: Clear MIDI port active flag after draining
    - ASoC: atmel: Remove system clock tree configuration for at91sam9g20ek
    - ASoC: msm8916-wcd-digital: Check failure for devm_snd_soc_register_component
    - dmaengine: imx-sdma: Fix error checking in sdma_event_remap
    - dmaengine: mediatek:Fix PM usage reference leak of
      mtk_uart_apdma_alloc_chan_resources
    - igc: Fix infinite loop in release_swfw_sync
    - igc: Fix BUG: scheduling while atomic
    - rxrpc: Restore removed timer deletion
    - net/smc: Fix sock leak when release after smc_shutdown()
    - net/packet: fix packet_sock xmit return value checking
    - net/sched: cls_u32: fix possible leak in u32_init_knode()
    - l3mdev: l3mdev_master_upper_ifindex_by_index_rcu should be using
      netdev_master_upper_dev_get_rcu
    - netlink: reset network and mac headers in netlink_dump()
    - selftests: mlxsw: vxlan_flooding: Prevent flooding of unwanted packets
    - ARM: vexpress/spc: Avoid negative array index when !SMP
    - reset: tegra-bpmp: Restore Handle errors in BPMP response
    - platform/x86: samsung-laptop: Fix an unsigned comparison which can never be
      negative
    - ALSA: usb-audio: Fix undefined behavior due to shift overflowing the
      constant
    - vxlan: fix error return code in vxlan_fdb_append
    - cifs: Check the IOCB_DIRECT flag, not O_DIRECT
    - mt76: Fix undefined behavior due to shift overflowing the constant
    - brcmfmac: sdio: Fix undefined behavior due to shift overflowing the constant
    - dpaa_eth: Fix missing of_node_put in dpaa_get_ts_info()
    - drm/msm/mdp5: check the return of kzalloc()
    - net: macb: Restart tx only if queue pointer is lagging
    - scsi: qedi: Fix failed disconnect handling
    - stat: fix inconsistency between struct stat and struct compat_stat
    - EDAC/synopsys: Read the error count from the correct register
    - oom_kill.c: futex: delay the OOM reaper to allow time for proper futex
      cleanup
    - ata: pata_marvell: Check the 'bmdma_addr' beforing reading
    - dma: at_xdmac: fix a missing check on list iterator
    - drm/panel/raspberrypi-touchscreen: Avoid NULL deref if not initialised
    - drm/panel/raspberrypi-touchscreen: Initialise the bridge in prepare
    - KVM: PPC: Fix TCE handling for VFIO
    - drm/vc4: Use pm_runtime_resume_and_get to fix pm_runtime_get_sync() usage
    - powerpc/perf: Fix power9 event alternatives
    - xtensa: patch_text: Fixup last cpu should be master
    - xtensa: fix a7 clobbering in coprocessor context load/store
    - openvswitch: fix OOB access in reserve_sfa_size()
    - ASoC: soc-dapm: fix two incorrect uses of list iterator
    - e1000e: Fix possible overflow in LTR decoding
    - ARC: entry: fix syscall_trace_exit argument
    - arm_pmu: Validate single/group leader events
    - ext4: fix symlink file size not match to file content
    - ext4: fix use-after-free in ext4_search_dir
    - ext4, doc: fix incorrect h_reserved size
    - ext4: fix overhead calculation to account for the reserved gdt blocks
    - ext4: force overhead calculation if the s_overhead_cluster makes no sense
    - jbd2: fix a potential race while discarding reserved buffers after an abort
    - spi: atmel-quadspi: Fix the buswidth adjustment between spi-mem and
      controller
    - staging: ion: Prevent incorrect reference counting behavour
    - block/compat_ioctl: fix range check in BLKGETSIZE
    - Linux 5.4.191

* Focal update: v5.4.190 upstream stable release (LP: #1973085)
    - memory: atmel-ebi: Fix missing of_node_put in atmel_ebi_probe
    - net/sched: flower: fix parsing of ethertype following VLAN header
    - veth: Ensure eth header is in skb's linear part
    - gpiolib: acpi: use correct format characters
    - mlxsw: i2c: Fix initialization error flow
    - net/sched: fix initialization order when updating chain 0 head
    - net: ethernet: stmmac: fix altr_tse_pcs function when using a fixed-link
    - net/sched: taprio: Check if socket flags are valid
    - cfg80211: hold bss_lock while updating nontrans_list
    - drm/msm/dsi: Use connector directly in msm_dsi_manager_connector_init()
    - net/smc: Fix NULL pointer dereference in smc_pnet_find_ib()
    - sctp: Initialize daddr on peeled off socket
    - testing/selftests/mqueue: Fix mq_perf_tests to free the allocated cpu set
    - nfc: nci: add flush_workqueue to prevent uaf
    - cifs: potential buffer overflow in handling symlinks
    - drm/amd: Add USBC connector ID
    - drm/amd/display: fix audio format not updated after edid updated
    - drm/amd/display: Update VTEM Infopacket definition
    - drm/amdkfd: Fix Incorrect VMIDs passed to HWS
    - drm/amdkfd: Check for potential null return of kmalloc_array()
    - Drivers: hv: vmbus: Prevent load re-ordering when reading ring buffer
    - scsi: target: tcmu: Fix possible page UAF
    - scsi: ibmvscsis: Increase INITIAL_SRP_LIMIT to 1024
    - ata: libata-core: Disable READ LOG DMA EXT for Samsung 840 EVOs
    - gpu: ipu-v3: Fix dev_dbg frequency output
    - regulator: wm8994: Add an off-on delay for WM8994 variant
    - arm64: alternatives: mark patch_alternative() as `noinstr`
    - tlb: hugetlb: Add more sizes to tlb_remove_huge_tlb_entry
    - net: usb: aqc111: Fix out-of-bounds accesses in RX fixup
    - drm/amd/display: Fix allocate_mst_payload assert on resume
    - powerpc: Fix virt_addr_valid() for 64-bit Book3E & 32-bit
    - scsi: mvsas: Add PCI ID of RocketRaid 2640
    - scsi: megaraid_sas: Target with invalid LUN ID is deleted during scan
    - drivers: net: slip: fix NPD bug in sl_tx_timeout()
    - perf/imx_ddr: Fix undefined behavior due to shift overflowing the constant
    - mm, page_alloc: fix build_zonerefs_node()
    - mm: kmemleak: take a full lowmem check in kmemleak_*_phys()
    - gcc-plugins: latent_entropy: use /dev/urandom
    - ath9k: Properly clear TX status area before reporting to mac80211
    - ath9k: Fix usage of driver-private space in tx_info
    - btrfs: remove unused variable in btrfs_{start,write}_dirty_block_groups()
    - btrfs: mark resumed async balance as writing
    - ALSA: hda/realtek: Add quirk for Clevo PD50PNT
    - ALSA: pcm: Test for "silence" field in struct "pcm_format_data"
    - ipv6: fix panic when forwarding a pkt with no in6 dev
    - drm/amd/display: don't ignore alpha property on pre-multiplied mode
    - genirq/affinity: Consider that CPUs on nodes can be unbalanced
    - tick/nohz: Use WARN_ON_ONCE() to prevent console saturation
    - ARM: davinci: da850-evm: Avoid NULL pointer dereference
    - dm integrity: fix memory corruption when tag_size is less than digest size
    - smp: Fix offline cpu check in flush_smp_call_function_queue()
    - i2c: pasemi: Wait for write xfers to finish
    - dma-direct: avoid redundant memory sync for swiotlb
    - ax25: add refcount in ax25_dev to avoid UAF bugs
    - ax25: fix reference count leaks of ax25_dev
    - ax25: fix UAF bugs of net_device caused by rebinding operation
    - ax25: Fix refcount leaks caused by ax25_cb_del()
    - ax25: fix UAF bug in ax25_send_control()
    - ax25: fix NPD bug in ax25_disconnect
    - ax25: Fix NULL pointer dereferences in ax25 timers
    - ax25: Fix UAF bugs in ax25 timers
    - Linux 5.4.190

-- Stefan Bader <stefan.bader@canonical.com>  Wed, 22 Jun 2022 15:00:52 +0200

Changed in linux (Ubuntu Focal):
status:	Fix Committed → Fix Released

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.

Ubuntulinux package

Ubuntu 5.4.0-117.132-generic 5.4.189 has BUG: kernel NULL pointer dereference, address: 0000000000000034

Bug Description

CVE References

Other bug subscribers

Remote bug watches

Ubuntu
linux package